On Dec 20, 2016, at 5:50 PM, Craig Rodrigues <rodrigc@crodrigues.org> wrote:

Ah, OK.  In my testing, I had this in my server's /etc/ssh/sshd_config file to force
use of ECDSA keys during my testing:


# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key


If I then logged into the server with:

 conch 192.168.1.2

then having an ecdsa key in ~/.ssh/known_hosts
worked fine and I could log in.  Before the latest patches, the ecdsa keys were not
being parsed properly and this never worked at all.

If I changed the config on the server to:

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

I got a bad host key error with conch, same as if I tried to log into buildbot.twistedmatrix.com.
I put this:

import pudb; pudb.set_trace()

on this line inside _continue_KEX_ECDH_REPLY():
https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L1671

Did you mean https://github.com/twisted/twisted/blob/71643ca93e024d33dba8de9eef149876554c2dd7/src/twisted/conch/ssh/transport.py#L1674 ?

What I then found was that on this line:

hostKey, pubKey, signature, packet = getNS(packet, 3)


The host key is an RSA key.  Then this line in the same function:

 d = self.verifyHostKey(hostKey, fingerprint)

tries to compare the hostKey for 192.168.1.2 (which is RSA), against
the key in ~/.ssh/known_hosts which is ecdsa.  It then fails and returns a bad host key error.

I also get this problem when trying to do conch buildbot.twistedmatrix.com

So... is this because buildbot.twistedmatrix.com has an RSA key as well, and when it offers it, our checking isn't correctly comparing the type before deciding that it doesn't match, or allowing for multiple keys?  I notice that if I manually add the RSA key and delete the ECDSA key it seems to work.

-g

--
Craig
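The failing comparison Craig traced above (the server's KEX reply carries an RSA host key, known_hosts holds an ECDSA key for the same host, and verifyHostKey reports a bad host key) is really a "known host, different key type" case, not a key mismatch. The following is an added example, not conch's own verifyHostKey or any Twisted code: a small known_hosts matcher that separates the two outcomes, plus the ordering of host key algorithms in the client's KEX proposal that avoids the situation, since a server with several host keys sends the first type the client lists that it has (OpenSSH's client orders its proposal this way). The buildbot.twistedmatrix.com entry is the one Glyph quoted; the hashed 192.168.1.2 line, the toy RSA key, and every function and class name here are constructed for the example.

```python
"""Host-key check that tells "known under another key type" apart from a real
mismatch.  Added example; not Twisted/conch code.  Sample data is constructed
except for the buildbot.twistedmatrix.com entry quoted in the thread."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class HostKeyStatus(Enum):
    MATCH = "match"                  # a known key of the offered type equals the offered key
    MISMATCH = "mismatch"            # a known key of that type exists and differs: treat as MITM
    KNOWN_OTHER_TYPE = "other-type"  # host is known, but only under other key types
    UNKNOWN = "unknown"              # host is not in known_hosts at all


@dataclass(frozen=True)
class KnownHostEntry:
    hosts: tuple     # comma-separated host patterns, or one "|1|salt|hash" token
    key_type: str
    key_blob: bytes


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b              # keep the two's-complement value positive
    return _ssh_string(b)


def blob_key_type(blob):
    """The key type string at the start of any RFC 4253 public key blob."""
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii", "replace") if len(blob) >= 4 + n else None


def hash_host_pattern(hostname, salt):
    """OpenSSH hashed-host form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _host_matches(pattern, hostname):
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return pattern == hostname       # wildcards and negation are out of scope here


def parse_known_hosts(text):
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.lstrip().startswith(("#", "@")):
            continue                 # blank, comment, or @cert-authority/@revoked marker
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue                 # unparsable key: never let it count as a match
        if blob_key_type(blob) != fields[1]:
            continue                 # declared type and the blob's own type tag disagree
        entries.append(KnownHostEntry(tuple(fields[0].split(",")), fields[1], blob))
    return entries


def check_host_key(entries, hostname, offered_type, offered_blob):
    """Classify the host key the server sent in its KEX reply."""
    if blob_key_type(offered_blob) != offered_type:
        return HostKeyStatus.MISMATCH
    for_host = [e for e in entries if any(_host_matches(p, hostname) for p in e.hosts)]
    if not for_host:
        return HostKeyStatus.UNKNOWN
    same_type = [e for e in for_host if e.key_type == offered_type]
    if not same_type:
        return HostKeyStatus.KNOWN_OTHER_TYPE
    if any(hmac.compare_digest(e.key_blob, offered_blob) for e in same_type):
        return HostKeyStatus.MATCH
    return HostKeyStatus.MISMATCH


def order_hostkey_algs(entries, hostname, supported):
    """List the key types known_hosts already holds for this host first in the
    KEX proposal, so a multi-key server sends one the client can verify."""
    known = {e.key_type for e in entries if any(_host_matches(p, hostname) for p in e.hosts)}
    return [a for a in supported if a in known] + [a for a in supported if a not in known]


# Constructed sample data (the buildbot line is the one quoted in the thread; the
# RSA key is a toy value, not a real key).
BUILDBOT_ENTRY = ("buildbot.twistedmatrix.com ecdsa-sha2-nistp256 "
                  "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA=")
ECDSA_BLOB = base64.b64decode(BUILDBOT_ENTRY.split()[2])
TOY_RSA_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    BUILDBOT_ENTRY,
    hash_host_pattern("192.168.1.2", bytes(range(20))) + " " + " ".join(BUILDBOT_ENTRY.split()[1:]),
])
ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
SUPPORTED = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"]

if __name__ == "__main__":
    # The thread's case: 192.168.1.2 is known by its ECDSA key but the server offers RSA.
    print(check_host_key(ENTRIES, "192.168.1.2", "ssh-rsa", TOY_RSA_BLOB))
    print(check_host_key(ENTRIES, "buildbot.twistedmatrix.com", "ecdsa-sha2-nistp256", ECDSA_BLOB))
    print(order_hostkey_algs(ENTRIES, "192.168.1.2", SUPPORTED))
```

The point of the four-way result is that a client should only raise the "bad host key" alarm on MISMATCH; KNOWN_OTHER_TYPE is what conch hit here, and the right response to it is either to fall back to the unknown-host prompt or, better, to have proposed the already-known key type first so the server never offers a type the client cannot verify.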


On Tue, Dec 20, 2016 at 5:13 PM, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:
Here's buildbot's key:

buildbot.twistedmatrix.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA=

I think you should be able to validate that even if you can't auth :)

-g


On Dec 20, 2016, at 4:54 PM, Craig Rodrigues <rodrigc@crodrigues.org> wrote:

I'm not sure. I was able to use conch to log into a box where the ecdsa key looked like this in my ~/.ssh/known_hosts

192.168.1.2 ecdsa-sha2-nistp256 XXXXXXXXXX

--

Craig



On Tue, Dec 20, 2016 at 4:10 PM, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:
It works:

$ conch twistedmatrix.com echo hooray
hooray
$ conch --version
Twisted version: 16.6.0dev0

That's using an RSA host key though.  It seems that the hosts I have using ECDSA keys (buildbot.twistedmatrix.com, for example) still don't work with conch.  Is that expected at this point?

-glyph

On Dec 20, 2016, at 2:32 PM, Craig Rodrigues <rodrigc@crodrigues.org> wrote:

On Friday, December 2, 2016, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:
I think there might be a regression in 16.6.0.

For every version up to 16.6.0, I can do 'conch twistedmatrix.com' in a shell and it works fine.

I believe that I have fixed this in trunk.
Can you try this with conch in trunk?

This works for me in trunk:

1.  Start with an empty ~/.ssh/known_hosts file, or one with an ecdsa key for myhost.com
2.  ssh myhost.com
3.  log out of myhost.com
4.  see that ~/.ssh/known_hosts contains an ecdsa host key for myhost.com
5.  conch myhost.com
6.  successfully log into myhost.com with conch

Before the latest fixes, I would get a bad host key error in step 6.

Many thanks to the0id and acabhishek942 for providing the ecdsa fixes to conch.

--
Craig
 
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python

